Apktool v2.2.4 Released

Apktool v2.2.4 has been released! This release packs some important security fixes, along with patching some slowdowns Apktool experienced when decoding applications.

This release also had a few security related fixes, I'd like to thank Chris Shepherd (IBM Security) & Eran Vaknin, Gal Elbaz, Alon Boxiner (Checkpoint) who responsibly disclosed these to me. There is a blog post going into details for those who are curious. If you use apktool in a situation that the public can use it (ie some hosted service), you will want to upgrade.

If you missed the news, Apktool received its first sponsor from Sourcetoad which has helped speed development of releases. You can read about that here.

[#1534] - Fix issue with APKs that last resource in pool is INVALID_TYPE_CONFIG.

[#1564] - Fix issue with APKs that are including malformed characters to break parser.

Only exit with 0 error code during version commands.

Enforce license header on all source files.

[Security] Prevent malicous directory traversal with unknown files.

[Security] Prevent XXE vulnerability when given a malicious AndroidManifest.xml

Upgrade to gradle 4.0.

Notes

For those using apktool at your own leisure in your own environment - you can update at your own pace. For those who apktool in any public facing environment, it is highly recommended to upgrade to 2.2.4 due to the included security fixes as soon as possible. As mentioned above, more details to these security issues and steps taken to resolve can be found here.